@super-repo/envx 0.2.3-b.2 → 0.2.3-b.4

package/dist/chunks/commands-D3eQPQO6.js

@@ -0,0 +1,1502 @@
+import { E as decryptValueAsymmetric, S as parseEnv, _ as resolveEnvPaths, a as rotateFiles, b as expandRecord, c as defaultKeysPath, d as DEFAULT_NODE_ENV_MAP, f as detectEnvironment, g as resolveCwdOrWorkspace, h as loadEnv, i as auditFiles, k as isEncrypted, l as readKeysFile, m as listEnvFiles, n as loadDotenvxConfig, o as decryptFiles, p as findWorkspaceRoot, s as encryptFiles, t as writeProcessed, v as validateCmdVariable, w as toRecord, x as log, y as expandEnvSrc } from "./src-D0n2wHDg.js";
+import * as fs from "fs";
+import * as path from "path";
+import yargs from "yargs";
+import { execSync, spawn } from "child_process";
+//#region src/commands/audit.ts
+/**
+* Walk the repo looking for plaintext secrets — committed AWS keys,
+* GitHub PATs, JWTs, Stripe live keys, OpenAI/Anthropic keys, PEM
+* private-key blocks, etc. Designed to run as a pre-commit / pre-push
+* gate so secrets never reach the remote.
+*
+* Findings are printed with the file path, line number, pattern label,
+* and a redacted snippet (the actual secret payload is not printed —
+* only the first/last 4 chars). Exit 1 when any finding is reported.
+*/
+var auditCommand = {
+	command: "audit [paths..]",
+	describe: "Scan one or more paths for plaintext secrets. Exit 1 on findings (suitable as a CI / pre-commit gate).",
+	builder: (yargs) => yargs.positional("paths", {
+		type: "string",
+		array: true,
+		describe: "Directories to scan. Default: current working directory."
+	}).option("ignore", {
+		type: "array",
+		string: true,
+		default: [],
+		describe: "Additional directory or file names to skip (added to the built-in ignore list)."
+	}).option("max", {
+		type: "number",
+		default: 50,
+		describe: "Stop after reporting this many findings (0 = unlimited)."
+	}).option("json", {
+		type: "boolean",
+		default: false,
+		describe: "Emit findings as JSON for downstream tools."
+	}),
+	handler: (argv) => {
+		const rawPaths = argv["paths"];
+		const roots = (rawPaths && rawPaths.length > 0 ? rawPaths : ["."]).map((p) => path.resolve(process.cwd(), p));
+		const ignore = argv["ignore"];
+		const max = argv["max"];
+		const asJson = argv["json"];
+		const { findings, filesScanned } = auditFiles({
+			roots,
+			ignore,
+			max
+		});
+		if (asJson) {
+			process.stdout.write(JSON.stringify({
+				filesScanned,
+				findings
+			}, null, 2) + "\n");
+			if (findings.length > 0) process.exit(1);
+			return;
+		}
+		log.info(`audit: scanned ${filesScanned} file(s) across ${roots.length} root(s)`);
+		if (findings.length === 0) {
+			log.success("no plaintext secrets found");
+			return;
+		}
+		log.dim("─".repeat(60));
+		const grouped = groupByPattern(findings);
+		for (const [patternId, items] of grouped) {
+			console.log("");
+			log.warn(`${items[0].label}  (${items.length} finding(s), id=${patternId})`);
+			for (const f of items) {
+				const rel = path.relative(process.cwd(), f.file);
+				console.log(`  ${rel}:${String(f.line)}`);
+				console.log(`    ${f.snippet.trim()}`);
+			}
+		}
+		console.log("");
+		log.dim("─".repeat(60));
+		log.error(`audit: ${findings.length} finding(s) — review and remove`);
+		log.dim("tip: move secrets into encrypted .env files (`envx encrypt`) and reference them via process.env");
+		process.exit(1);
+	}
+};
+function groupByPattern(findings) {
+	const map = /* @__PURE__ */ new Map();
+	for (const f of findings) {
+		const arr = map.get(f.patternId);
+		if (arr) arr.push(f);
+		else map.set(f.patternId, [f]);
+	}
+	return [...map.entries()];
+}
+//#endregion
+//#region src/commands/bake.ts
+/**
+* Build-time resolver. Loads env files (decrypts, runs resolvers,
+* applies defaults, expands `${VAR}`, validates against the schema,
+* mirrors public vars), then writes the fully-resolved env to a
+* sealed file the bundler can pick up at compile time.
+*
+* Two output formats:
+*   - `.env`-style    (default)  — `KEY=value\n` per line, `KEY=` style
+*   - JSON            (`--json`) — `{ "KEY": "value", ... }` for tools
+*                                 that prefer structured input
+*
+* The output file is plaintext — the entire point — so it must NEVER
+* be committed. The command writes a `# DO NOT COMMIT` banner at the
+* top and refuses to write under `.git/`.
+*/
+var bakeCommand = {
+	command: "bake",
+	describe: "Resolve every ref / encrypted value into a sealed file the bundler can pick up at build time. Output is plaintext — never commit it.",
+	builder: (yargs) => yargs.option("out", {
+		type: "string",
+		default: ".env.resolved",
+		describe: "Output path (relative to cwd). Default: `.env.resolved`. Use `-` for stdout."
+	}).option("json", {
+		type: "boolean",
+		default: false,
+		describe: "Emit as JSON instead of the .env format."
+	}).option("only", {
+		type: "array",
+		string: true,
+		default: [],
+		describe: "Restrict the bake to specific keys (repeatable). Default: every key envx loaded."
+	}).option("public-only", {
+		type: "boolean",
+		default: false,
+		describe: "Bake only the keys safe to ship in a client bundle: every PUBLIC_* source key plus its mirrored copies. Server-only secrets are excluded."
+	}),
+	handler: (argv) => {
+		const cfg = argv["__envxConfig"] ?? {};
+		const out = argv["out"];
+		const asJson = argv["json"];
+		const only = new Set(argv["only"] ?? []);
+		const publicOnly = argv["public-only"];
+		const before = new Set(Object.keys(process.env));
+		loadEnv({
+			envFiles: argv["env"],
+			variables: argv["variables"],
+			cascade: argv["cascade"],
+			vault: argv["vault"],
+			envPath: argv["env-path"],
+			override: argv["override"],
+			quiet: true,
+			...cfg.autoDetect !== void 0 ? { autoDetect: cfg.autoDetect } : {},
+			...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {},
+			...cfg.required !== void 0 ? { required: cfg.required } : {},
+			...cfg.expand !== void 0 ? { expand: cfg.expand } : {},
+			...cfg.defaults !== void 0 ? { defaults: cfg.defaults } : {},
+			...cfg.workspaceRoot !== void 0 ? { workspaceRoot: cfg.workspaceRoot } : {},
+			...cfg.schema !== void 0 ? { schema: cfg.schema } : {},
+			...cfg.resolvers !== void 0 ? { resolvers: cfg.resolvers } : {},
+			...cfg.publicPrefixes !== void 0 ? { publicPrefixes: cfg.publicPrefixes } : {},
+			...cfg.publicSource !== void 0 ? { publicSource: cfg.publicSource } : {}
+		});
+		let keys = Object.keys(process.env).filter((k) => !before.has(k)).filter((k) => only.size === 0 || only.has(k)).sort();
+		if (publicOnly) {
+			const source = cfg.publicSource ?? "PUBLIC_";
+			const targetPrefixes = cfg.publicPrefixes ?? [];
+			keys = keys.filter((k) => k.startsWith(source) || targetPrefixes.some((p) => k.startsWith(p)));
+		}
+		if (keys.length === 0) {
+			log.warn("bake: nothing to write — no keys matched");
+			process.exit(0);
+		}
+		const values = {};
+		for (const k of keys) {
+			const v = process.env[k];
+			if (typeof v === "string") values[k] = v;
+		}
+		let rendered;
+		if (asJson) rendered = JSON.stringify(values, null, 2) + "\n";
+		else {
+			const lines = [];
+			lines.push("# Generated by `envx bake` — DO NOT COMMIT.");
+			lines.push("# This file contains plaintext resolved secrets.");
+			lines.push("# Add it to .gitignore.");
+			lines.push("");
+			for (const k of keys) lines.push(`${k}=${formatValue(values[k])}`);
+			rendered = lines.join("\n") + "\n";
+		}
+		if (out === "-") {
+			process.stdout.write(rendered);
+			return;
+		}
+		const outAbs = path.resolve(process.cwd(), out);
+		if (outAbs.split(path.sep).includes(".git") || outAbs.endsWith(".git") || outAbs.includes(`${path.sep}.git${path.sep}`)) {
+			log.error(`bake: refusing to write under .git/ — change --out`);
+			process.exit(1);
+		}
+		fs.writeFileSync(outAbs, rendered);
+		log.success(`bake: wrote ${outAbs} (${String(keys.length)} key${keys.length === 1 ? "" : "s"}, ${asJson ? "json" : "dotenv"})`);
+		log.dim("hint: add the path to .gitignore — this file is plaintext");
+	}
+};
+/**
+* Conservative .env value rendering. Quote whenever the value contains
+* whitespace, `#`, `$`, quotes, or newlines so downstream parsers
+* (including envx itself) round-trip cleanly.
+*/
+function formatValue(v) {
+	if (v === "") return "\"\"";
+	if (!/[\s#$"'`\\]/.test(v)) return v;
+	return `"${v.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t")}"`;
+}
+//#endregion
+//#region src/commands/debug.ts
+var debugCommand = {
+	command: "debug",
+	describe: "Show which env files would be loaded and which variables would be applied, without loading them.",
+	handler: (argv) => {
+		const paths = resolveEnvPaths({
+			envFiles: argv["env"],
+			cascade: argv["cascade"]
+		});
+		const rawVars = argv["variables"];
+		const variables = rawVars ? Object.fromEntries(rawVars.map(validateCmdVariable)) : {};
+		log.info(`Paths: ${JSON.stringify(paths)}`);
+		log.info(`Variables: ${JSON.stringify(variables)}`);
+	}
+};
+//#endregion
+//#region src/commands/decrypt.ts
+/** Mirror of `dotenvx decrypt` from upstream — see also encrypt.ts. */
+var decryptCommand = {
+	command: "decrypt",
+	describe: "Decrypt the values in one or more .env files in place using the matching private key in .env.keys.",
+	builder: (yargs) => yargs.option("env-keys-file", {
+		alias: "fk",
+		type: "string",
+		describe: "Path to the .env.keys file (default: ./.env.keys at cwd, regardless of --dir / --env-path)."
+	}).option("key", {
+		alias: "k",
+		type: "array",
+		string: true,
+		describe: "Specific keys (or picomatch globs) to decrypt. Default: all keys."
+	}).option("exclude-key", {
+		alias: "ek",
+		type: "array",
+		string: true,
+		describe: "Keys (or picomatch globs) to leave encrypted."
+	}).option("stdout", {
+		type: "boolean",
+		default: false,
+		describe: "Write the decrypted env contents to stdout instead of saving in place."
+	}).help("h").alias("h", "help"),
+	handler: (argv) => {
+		const envFiles = argv["env"] ?? [".env"];
+		const keys = argv["key"];
+		const excludeKeys = argv["exclude-key"];
+		const envKeysFile = argv["env-keys-file"];
+		const stdout = argv["stdout"] ?? false;
+		const result = decryptFiles({
+			envFiles,
+			...keys ? { keys } : {},
+			...excludeKeys ? { excludeKeys } : {},
+			...envKeysFile ? { envKeysFile } : {}
+		});
+		let hadError = false;
+		for (const processed of result.processedEnvs) {
+			if (processed.error) {
+				hadError = true;
+				log.error(`${processed.envFilepath}: ${processed.error.message}`);
+				if (processed.error.help) log.dim(processed.error.help);
+				continue;
+			}
+			if (stdout) process.stdout.write(processed.envSrc);
+		}
+		if (!stdout) {
+			const { written } = writeProcessed(result.processedEnvs);
+			for (const w of written) log.success(`decrypted ${w}`);
+			if (written.length === 0 && result.unchangedFilepaths.length > 0 && !hadError) log.dim(`no changes (${result.unchangedFilepaths.join(", ")})`);
+		}
+		if (hadError) process.exitCode = 1;
+	}
+};
+//#endregion
+//#region src/commands/diff.ts
+/**
+* Compare two env files key-by-key. Reports:
+*   - keys present only in A
+*   - keys present only in B
+*   - keys present in both with mismatched values
+*
+* Encrypted values are decrypted with .env.keys when available, so the
+* comparison reflects logical values (not ciphertext). When secrets
+* differ, only the fact that they differ is shown — values are masked.
+*
+* Exit code: 0 when files are equivalent, 1 otherwise. Useful as a CI
+* gate to block prod deploys when staging/prod env shapes diverge.
+*/
+var diffCommand = {
+	command: "diff <a> <b>",
+	describe: "Compare two env files; report keys-only-in-a, keys-only-in-b, and value mismatches. Exit 1 on differences.",
+	builder: (yargs) => yargs.positional("a", {
+		type: "string",
+		demandOption: true,
+		describe: "Path to the first env file."
+	}).positional("b", {
+		type: "string",
+		demandOption: true,
+		describe: "Path to the second env file."
+	}).option("show-values", {
+		type: "boolean",
+		default: false,
+		describe: "Show actual differing values (off by default — values are masked since they are usually secrets)."
+	}).option("ignore-keys", {
+		type: "array",
+		default: [],
+		describe: "Keys to ignore (repeatable)."
+	}),
+	handler: (argv) => {
+		const cfg = argv["__envxConfig"] ?? {};
+		const aPath = argv["a"];
+		const bPath = argv["b"];
+		const showValues = argv["show-values"];
+		const ignore = new Set(argv["ignore-keys"] ?? []);
+		const aResolved = resolveOne(aPath);
+		const bResolved = resolveOne(bPath);
+		if (!fs.existsSync(aResolved)) {
+			log.error(`file not found: ${aResolved}`);
+			process.exit(1);
+		}
+		if (!fs.existsSync(bResolved)) {
+			log.error(`file not found: ${bResolved}`);
+			process.exit(1);
+		}
+		const keysFilePath = (cfg.envKeysFile && path.resolve(process.cwd(), cfg.envKeysFile)) ?? resolveCwdOrWorkspace(".env.keys");
+		const aMap = loadDecrypted(aResolved, keysFilePath);
+		const bMap = loadDecrypted(bResolved, keysFilePath);
+		const allKeys = new Set([...Object.keys(aMap), ...Object.keys(bMap)]);
+		const onlyA = [];
+		const onlyB = [];
+		const mismatched = [];
+		for (const k of [...allKeys].sort()) {
+			if (ignore.has(k)) continue;
+			const inA = k in aMap;
+			const inB = k in bMap;
+			if (inA && !inB) onlyA.push(k);
+			else if (!inA && inB) onlyB.push(k);
+			else if (aMap[k] !== bMap[k]) mismatched.push({
+				key: k,
+				a: aMap[k],
+				b: bMap[k]
+			});
+		}
+		log.info(`diff: ${path.relative(process.cwd(), aResolved)} ⇄ ${path.relative(process.cwd(), bResolved)}`);
+		log.dim("─".repeat(60));
+		if (onlyA.length === 0 && onlyB.length === 0 && mismatched.length === 0) {
+			log.success("identical (after decryption)");
+			process.exit(0);
+		}
+		if (onlyA.length > 0) {
+			console.log("");
+			log.warn(`only in a (${onlyA.length}):`);
+			for (const k of onlyA) console.log(`  - ${k}`);
+		}
+		if (onlyB.length > 0) {
+			console.log("");
+			log.warn(`only in b (${onlyB.length}):`);
+			for (const k of onlyB) console.log(`  + ${k}`);
+		}
+		if (mismatched.length > 0) {
+			console.log("");
+			log.warn(`mismatched values (${mismatched.length}):`);
+			for (const m of mismatched) if (showValues) {
+				console.log(`  ~ ${m.key}`);
+				console.log(`      a = ${m.a}`);
+				console.log(`      b = ${m.b}`);
+			} else console.log(`  ~ ${m.key}  (values differ — pass --show-values to display)`);
+		}
+		console.log("");
+		log.dim("─".repeat(60));
+		log.error(`diff: ${onlyA.length} only-in-a, ${onlyB.length} only-in-b, ${mismatched.length} mismatched`);
+		process.exit(1);
+	}
+};
+function resolveOne(p) {
+	if (path.isAbsolute(p)) return p;
+	const direct = path.resolve(process.cwd(), p);
+	if (fs.existsSync(direct)) return direct;
+	return resolveCwdOrWorkspace(p);
+}
+function loadDecrypted(filePath, envKeysFile) {
+	const raw = toRecord(parseEnv(fs.readFileSync(filePath, "utf8")));
+	const keys = readKeysFile(envKeysFile);
+	const out = {};
+	for (const [k, v] of Object.entries(raw)) {
+		if (!isEncrypted(v)) {
+			out[k] = v;
+			continue;
+		}
+		let decrypted = null;
+		for (const privateKeyHex of keys.values()) try {
+			decrypted = decryptValueAsymmetric(v, privateKeyHex);
+			break;
+		} catch {}
+		out[k] = decrypted ?? v;
+	}
+	return out;
+}
+//#endregion
+//#region src/commands/doctor.ts
+/**
+* Run a battery of health checks against the resolved configuration:
+*   1. Workspace + config visibility
+*   2. Env files exist (at least one)
+*   3. Keys file present when any encrypted values exist
+*   4. Every encrypted value decrypts cleanly
+*   5. `required` keys are filled after a dry load
+*   6. Expansion has no cycles and no unresolved references
+*
+* Each check prints a green tick / red cross / yellow tilde. A non-zero
+* exit indicates at least one hard failure (cross). Warnings (tildes)
+* do not affect the exit code so this is safe to run in CI as a gate.
+*/
+var doctorCommand = {
+	command: "doctor",
+	describe: "Run health checks: workspace + config, keys file, decryptability, required keys, expand cycles. Exits non-zero on hard failures.",
+	builder: (yargs) => yargs.option("ignore-required", {
+		type: "boolean",
+		default: false,
+		describe: "Skip the `required` post-load check. Useful when running in environments where the secrets aren't expected to be present yet."
+	}),
+	handler: (argv) => {
+		const cfg = argv["__envxConfig"] ?? {};
+		const cfgSource = argv["__envxConfigSource"];
+		const ignoreRequired = argv["ignore-required"];
+		const workspaceRoot = findWorkspaceRoot();
+		log.info("envx doctor");
+		log.dim("─".repeat(60));
+		let failures = 0;
+		let warnings = 0;
+		section("Workspace + config");
+		pass(`workspace root: ${workspaceRoot}`);
+		if (cfgSource) pass(`config: ${cfgSource}`);
+		else {
+			warn("config: built-in defaults (no envx.config.* found)");
+			warnings += 1;
+		}
+		section("Env files");
+		const paths = resolveEnvPaths({
+			...argv["env"] !== void 0 ? { envFiles: argv["env"] } : {},
+			...argv["cascade"] !== void 0 ? { cascade: argv["cascade"] } : {},
+			...cfg.autoDetect !== void 0 ? { autoDetect: cfg.autoDetect } : {},
+			...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {}
+		});
+		const subdir = argv["env-path"] ?? (argv["vault"] ? "vault" : "");
+		const resolvedPaths = paths.map((p) => path.isAbsolute(p) ? p : subdir ? resolveCwdOrWorkspace(path.join(subdir, p)) : resolveCwdOrWorkspace(p));
+		const existing = resolvedPaths.filter((p) => fs.existsSync(p));
+		if (existing.length === 0) {
+			fail(`no env files found (looked at ${resolvedPaths.length} candidate(s))`);
+			for (const p of resolvedPaths) log.dim(`     ✗ ${p}`);
+			failures += 1;
+		} else {
+			pass(`${existing.length} of ${resolvedPaths.length} candidate file(s) exist`);
+			for (const p of existing) log.dim(`     ✓ ${p}`);
+			for (const p of resolvedPaths.filter((rp) => !fs.existsSync(rp))) log.dim(`     · ${p}  (skipped — not present)`);
+		}
+		section("Keys file");
+		const keysPath = (cfg.envKeysFile && path.resolve(process.cwd(), cfg.envKeysFile)) ?? defaultKeysPath();
+		if (!existing.some((p) => fileHasEncryptedValues(p))) {
+			pass("no encrypted values present — keys file not required");
+			log.dim(`     (would look at ${keysPath})`);
+		} else if (fs.existsSync(keysPath)) pass(`keys file present: ${keysPath}`);
+		else {
+			fail(`keys file missing: ${keysPath}`);
+			log.dim("     hint: run `envx encrypt` from a machine that has the private key, or restore .env.keys from your secret store");
+			failures += 1;
+		}
+		section("Decryptability");
+		const filesWithSecrets = existing.filter((p) => fileHasEncryptedValues(p));
+		if (filesWithSecrets.length === 0) pass("no encrypted values to verify");
+		else try {
+			const failed = decryptFiles({
+				envFiles: filesWithSecrets,
+				envKeysFile: keysPath
+			}).processedEnvs.filter((p) => p.error);
+			if (failed.length === 0) pass(`${filesWithSecrets.length} file(s) decrypt cleanly`);
+			else for (const f of failed) {
+				fail(`${f.envFilepath}: ${f.error?.code ?? "unknown"} — ${f.error?.message ?? ""}`);
+				failures += 1;
+			}
+		} catch (e) {
+			fail(`decrypt error: ${e.message}`);
+			failures += 1;
+		}
+		section("Required keys");
+		const required = cfg.required ?? [];
+		if (ignoreRequired) {
+			warn("skipped (--ignore-required)");
+			warnings += 1;
+		} else if (required.length === 0) pass("no `required` keys configured");
+		else {
+			const snapshot = { ...process.env };
+			try {
+				loadEnv({
+					envFiles: argv["env"],
+					variables: argv["variables"],
+					cascade: argv["cascade"],
+					vault: argv["vault"],
+					envPath: argv["env-path"],
+					override: argv["override"],
+					quiet: true,
+					...cfg.autoDetect !== void 0 ? { autoDetect: cfg.autoDetect } : {},
+					...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {},
+					...cfg.expand !== void 0 ? { expand: cfg.expand } : {},
+					...cfg.defaults !== void 0 ? { defaults: cfg.defaults } : {},
+					...cfg.workspaceRoot !== void 0 ? { workspaceRoot: cfg.workspaceRoot } : {}
+				});
+				const missing = required.filter((k) => process.env[k] === void 0 || process.env[k] === "");
+				if (missing.length === 0) pass(`${required.length} key(s) present after load`);
+				else {
+					for (const m of missing) fail(`missing: ${m}`);
+					failures += missing.length;
+				}
+			} finally {
+				for (const k of Object.keys(process.env)) if (!(k in snapshot)) delete process.env[k];
+				Object.assign(process.env, snapshot);
+			}
+		}
+		section("Expansion sanity");
+		const merged = {};
+		for (const f of existing) {
+			const lines = parseEnv(fs.readFileSync(f, "utf8"));
+			Object.assign(merged, toRecord(lines));
+		}
+		const { unresolved, cycles } = expandRecord(merged, { onMissing: "leave" });
+		if (cycles.length === 0 && unresolved.length === 0) pass("no cycles, no unresolved ${VAR} references");
+		else {
+			if (cycles.length > 0) {
+				for (const c of cycles) fail(`cycle: ${c.join(" → ")}`);
+				failures += cycles.length;
+			}
+			if (unresolved.length > 0) {
+				warn(`unresolved references: ${unresolved.join(", ")}`);
+				warnings += 1;
+			}
+		}
+		log.dim("─".repeat(60));
+		if (failures === 0 && warnings === 0) {
+			log.success(`doctor: all checks passed`);
+			process.exit(0);
+		}
+		if (failures === 0) {
+			log.warn(`doctor: ${warnings} warning(s), 0 failure(s)`);
+			process.exit(0);
+		}
+		log.error(`doctor: ${failures} failure(s), ${warnings} warning(s)`);
+		process.exit(1);
+	}
+};
+function section(title) {
+	console.log("");
+	log.info(title);
+}
+function pass(msg) {
+	log.success(`  ✓ ${msg}`);
+}
+function fail(msg) {
+	log.error(`  ✗ ${msg}`);
+}
+function warn(msg) {
+	log.warn(`  ~ ${msg}`);
+}
+function fileHasEncryptedValues(filePath) {
+	try {
+		return parseEnv(fs.readFileSync(filePath, "utf8")).some((l) => l.type === "kv" && isEncrypted(l.value));
+	} catch {
+		return false;
+	}
+}
+//#endregion
+//#region src/commands/encrypt.ts
+/**
+* Mirrors the upstream `dotenvx encrypt` flags so existing muscle
+* memory carries over. The `--env` global doubles as the file list
+* (the upstream calls it `--env-file`); this CLI keeps a single
+* canonical name across subcommands.
+*/
+var encryptCommand = {
+	command: "encrypt",
+	describe: "Encrypt the values in one or more .env files. Generates a private key in .env.keys on first run.",
+	builder: (yargs) => yargs.option("env-keys-file", {
+		alias: "fk",
+		type: "string",
+		describe: "Path to the .env.keys file (default: ./.env.keys at cwd, regardless of --dir / --env-path)."
+	}).option("key", {
+		alias: "k",
+		type: "array",
+		string: true,
+		describe: "Specific keys (or picomatch globs) to encrypt. Default: all keys."
+	}).option("pattern", {
+		alias: "p",
+		type: "array",
+		string: true,
+		describe: "Glob pattern(s) selecting which keys to encrypt. Comma-separated values supported (e.g. `--pattern '*_SECRET,*_TOKEN'`). Repeatable. Equivalent to --key but accepts CSV."
+	}).option("secrets", {
+		type: "boolean",
+		default: false,
+		describe: "Shorthand for the conventional secret-key globs: *_SECRET, *_TOKEN, *_KEY, *_PASSWORD, PASSWORD*, API_*. Mutually exclusive with --key/--pattern."
+	}).option("exclude-key", {
+		alias: "ek",
+		type: "array",
+		string: true,
+		describe: "Keys (or picomatch globs) to leave plaintext."
+	}).option("stdout", {
+		type: "boolean",
+		default: false,
+		describe: "Write the encrypted env contents to stdout instead of saving in place."
+	}).help("h").alias("h", "help"),
+	handler: (argv) => {
+		const envFiles = argv["env"] ?? [".env"];
+		const keys = argv["key"];
+		const patterns = argv["pattern"];
+		const useSecrets = argv["secrets"] ?? false;
+		const excludeKeys = argv["exclude-key"];
+		const envKeysFile = argv["env-keys-file"];
+		const stdout = argv["stdout"] ?? false;
+		const SECRET_PRESETS = [
+			"*_SECRET",
+			"*_TOKEN",
+			"*_KEY",
+			"*_PASSWORD",
+			"PASSWORD*",
+			"API_*"
+		];
+		const fromPatterns = patterns?.flatMap((p) => p.split(",").map((s) => s.trim()).filter(Boolean)) ?? [];
+		const include = [
+			...keys ?? [],
+			...fromPatterns,
+			...useSecrets ? SECRET_PRESETS : []
+		];
+		if ((keys || patterns) && useSecrets) log.warn("encrypt: --secrets combined with --key/--pattern; the union of all globs is encrypted");
+		const result = encryptFiles({
+			envFiles,
+			...include.length > 0 ? { keys: include } : {},
+			...excludeKeys ? { excludeKeys } : {},
+			...envKeysFile ? { envKeysFile } : {}
+		});
+		let hadError = false;
+		for (const processed of result.processedEnvs) {
+			if (processed.error) {
+				hadError = true;
+				log.error(`${processed.envFilepath}: ${processed.error.message}`);
+				if (processed.error.help) log.dim(processed.error.help);
+				continue;
+			}
+			if (stdout) {
+				process.stdout.write(processed.envSrc);
+				continue;
+			}
+			if (processed.privateKeyAdded) log.success(`key added to .env.keys (${processed.privateKeyName ?? "<unknown>"})`);
+		}
+		if (!stdout) {
+			const { written } = writeProcessed(result.processedEnvs);
+			for (const w of written) log.success(`encrypted ${w}`);
+			if (written.length === 0 && result.unchangedFilepaths.length > 0 && !hadError) log.dim(`no changes (${result.unchangedFilepaths.join(", ")})`);
+		}
+		if (hadError) process.exitCode = 1;
+	}
+};
+//#endregion
+//#region src/commands/expand.ts
+/**
+* Decrypts (when needed) and expands variable references in an env
+* file. Mirrors the workflow `decrypt-vault` action — but cycle-safe,
+* supports `${VAR:-default}` / `${VAR:?msg}`, and never silently
+* truncates after N passes.
+*/
+var expandCommand = {
+	command: "expand",
+	describe: "Decrypt (if needed) and expand ${VAR}/$VAR references in an env file. Outputs to stdout by default.",
+	builder: (yargs) => yargs.option("output", {
+		type: "string",
+		describe: "Write the expanded result to this file (default: stdout)."
+	}).option("env-keys-file", {
+		alias: "fk",
+		type: "string",
+		describe: "Path to .env.keys (default: ./.env.keys at cwd, regardless of --dir / --env-path)."
+	}).option("on-missing", {
+		type: "string",
+		choices: [
+			"leave",
+			"empty",
+			"throw"
+		],
+		default: "leave",
+		describe: "How to handle ${UNRESOLVED_VAR}: leave it literal, substitute empty, or fail."
+	}).help("h").alias("h", "help"),
+	handler: (argv) => {
+		const envFiles = argv["env"] ?? [".env"];
+		if (envFiles.length !== 1) {
+			log.error(`expand operates on a single env file at a time; got ${String(envFiles.length)}.`);
+			process.exit(1);
+		}
+		const envFile = envFiles[0];
+		const filepath = path.resolve(envFile);
+		if (!fs.existsSync(filepath)) {
+			log.error(`env file not found: ${envFile}`);
+			process.exit(1);
+		}
+		let envSrc = fs.readFileSync(filepath, "utf8");
+		if (parseEnv(envSrc).some((l) => l.type === "kv" && isEncrypted(l.value))) {
+			const envKeysFile = argv["env-keys-file"];
+			const processed = decryptFiles({
+				envFiles: [envFile],
+				...envKeysFile ? { envKeysFile } : {}
+			}).processedEnvs[0];
+			if (processed?.error) {
+				log.error(`${envFile}: ${processed.error.message}`);
+				if (processed.error.help) log.dim(processed.error.help);
+				process.exit(1);
+			}
+			envSrc = processed.envSrc;
+		}
+		const onMissing = argv["on-missing"];
+		const result = expandEnvSrc(envSrc, { onMissing });
+		for (const v of result.unresolved) log.warn(`unresolved variable: ${v}`);
+		for (const cycle of result.cycles) log.warn(`cycle: ${cycle.join(" → ")}`);
+		const output = argv["output"];
+		if (output) {
+			fs.writeFileSync(path.resolve(output), result.envSrc);
+			log.success(`expanded ${envFile} → ${output}`);
+		} else {
+			process.stdout.write(result.envSrc);
+			if (!result.envSrc.endsWith("\n")) process.stdout.write("\n");
+		}
+	}
+};
+//#endregion
+//#region src/commands/hook.ts
+/**
+* Print eval-able shell exports for every variable loaded from envx's
+* resolved env files. Use to inject the env into the parent shell:
+*
+*   eval "$(envx hook bash)"
+*
+* Three flavors:
+*   - bash / zsh    →  `export KEY='value'`
+*   - fish          →  `set -x KEY 'value'`
+*   - powershell    →  `$env:KEY = 'value'`
+*
+* Diff against the pre-load process.env so we only emit the keys that
+* envx actually loaded (rather than re-exporting every var that
+* happened to already be set).
+*/
+var hookCommand = {
+	command: "hook <shell>",
+	describe: "Print shell exports for the loaded env. `eval \"$(envx hook bash)\"` injects them into the parent shell.",
+	builder: (yargs) => yargs.positional("shell", {
+		type: "string",
+		choices: [
+			"bash",
+			"zsh",
+			"fish",
+			"powershell",
+			"pwsh"
+		],
+		demandOption: true,
+		describe: "Target shell flavor."
+	}).option("only", {
+		type: "array",
+		default: [],
+		describe: "Restrict output to specific keys. By default every key envx loaded is exported."
+	}),
+	handler: (argv) => {
+		const cfg = argv["__envxConfig"] ?? {};
+		const shell = argv["shell"];
+		const only = new Set(argv["only"] ?? []);
+		const before = new Set(Object.keys(process.env));
+		loadEnv({
+			envFiles: argv["env"],
+			variables: argv["variables"],
+			cascade: argv["cascade"],
+			vault: argv["vault"],
+			envPath: argv["env-path"],
+			override: argv["override"],
+			quiet: true,
+			...cfg.autoDetect !== void 0 ? { autoDetect: cfg.autoDetect } : {},
+			...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {},
+			...cfg.required !== void 0 ? { required: cfg.required } : {},
+			...cfg.expand !== void 0 ? { expand: cfg.expand } : {},
+			...cfg.defaults !== void 0 ? { defaults: cfg.defaults } : {},
+			...cfg.workspaceRoot !== void 0 ? { workspaceRoot: cfg.workspaceRoot } : {}
+		});
+		const newKeys = Object.keys(process.env).filter((k) => !before.has(k)).filter((k) => only.size === 0 || only.has(k)).sort();
+		const lines = [];
+		for (const k of newKeys) {
+			const v = process.env[k];
+			if (v === void 0) continue;
+			lines.push(formatExport(shell, k, v));
+		}
+		if (lines.length > 0) process.stdout.write(lines.join("\n") + "\n");
+	}
+};
+function formatExport(shell, key, value) {
+	switch (shell) {
+		case "bash":
+		case "zsh": return `export ${key}=${shellQuote(value)}`;
+		case "fish": return `set -x ${key} ${shellQuote(value)}`;
+		case "powershell":
+		case "pwsh": return `$env:${key} = ${psQuote(value)}`;
+	}
+}
+/**
+* POSIX-shell single-quote escaping. Single quotes have no escape inside
+* single-quoted strings, so the trick is `'` → `'\''`.
+*/
+function shellQuote(s) {
+	return `'${s.replace(/'/g, "'\\''")}'`;
+}
+/** PowerShell single-quote escaping: `'` → `''`. */
+function psQuote(s) {
+	return `'${s.replace(/'/g, "''")}'`;
+}
+//#endregion
+//#region src/commands/info.ts
+/**
+* Print everything envx knows about the current invocation: which
+* config file it found, the resolved settings, which platform signals
+* are present, what auto-detection produced, the NODE_ENV → suffix
+* map (built-in + user overrides), and the env file paths it would
+* load. Read-only — does not mutate process.env or write any files.
+*/
+var infoCommand = {
+	command: "info",
+	describe: "Show resolved configuration, auto-detection details, NODE_ENV mappings, and which env files would be loaded.",
+	builder: (yargs) => yargs.help("h").alias("h", "help"),
+	handler: (argv) => {
+		const cfg = argv["__envxConfig"] ?? {};
+		const cfgSource = argv["__envxConfigSource"];
+		const cfgOrigin = argv["__envxConfigOrigin"];
+		const workspaceRoot = findWorkspaceRoot();
+		const cwd = process.cwd();
+		log.info("envx info");
+		log.dim("─".repeat(60));
+		log.info("Workspace");
+		line("cwd", cwd);
+		line("workspace root", workspaceRoot === cwd ? `${workspaceRoot}  (none detected — using cwd)` : workspaceRoot);
+		blank();
+		log.info("Config");
+		line("source", cfgSource ?? "(none — built-in defaults)");
+		line("origin", cfgOrigin ?? "defaults");
+		blank();
+		log.info("Resolved settings");
+		line("envFiles", argv["env"] ?? cfg.envFiles ?? [".env"]);
+		line("envPath", argv["env-path"] ?? cfg.envPath ?? "(none)");
+		line("cascade", formatCascade(argv["cascade"] ?? cfg.cascade));
+		line("envKeysFile", formatPath(argv["env-keys-file"] ?? cfg.envKeysFile, cwd, workspaceRoot));
+		line("override", argv["override"] ?? cfg.override ?? false);
+		line("quiet", argv["quiet"] ?? cfg.quiet ?? true);
+		line("autoDetect", cfg.autoDetect ?? true);
+		line("expand", cfg.expand ?? false);
+		line("required", cfg.required && cfg.required.length > 0 ? cfg.required : "(none)");
+		line("defaults", cfg.defaults && Object.keys(cfg.defaults).length > 0 ? cfg.defaults : "(none)");
+		line("workspaceRoot (config)", cfg.workspaceRoot ?? "(auto-detect via findWorkspaceRoot)");
+		line("schema", cfg.schema ? "(configured — runs safeParse() after load)" : "(none)");
+		line("resolvers", cfg.resolvers && Object.keys(cfg.resolvers).length > 0 ? Object.keys(cfg.resolvers).join(", ") : "(none)");
+		line("profiles", cfg.profiles && Object.keys(cfg.profiles).length > 0 ? Object.keys(cfg.profiles).join(", ") : "(none)");
+		line("active profile", argv["profile"] ?? "(none)");
+		blank();
+		log.info("Platform signals (process.env)");
+		line("VERCEL", process.env["VERCEL"] ?? "(unset)");
+		line("VERCEL_ENV", process.env["VERCEL_ENV"] ?? "(unset)");
+		line("NETLIFY", process.env["NETLIFY"] ?? "(unset)");
+		line("CONTEXT", process.env["CONTEXT"] ?? "(unset)");
+		line("NODE_ENV", process.env.NODE_ENV ?? "(unset)");
+		blank();
+		log.info("Auto-detection");
+		const autoDetect = cfg.autoDetect ?? true;
+		if (!autoDetect) line("status", "disabled (autoDetect: false)");
+		else {
+			const detected = detectEnvironment({ ...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {} });
+			line("source", pickDetectionSource());
+			line("detected", detected);
+			line("→ env file", detected === "root" ? ".env" : `.env.${detected}`);
+		}
+		blank();
+		log.info("NODE_ENV → suffix mapping");
+		log.dim("  (any NODE_ENV value not in this map passes through lowercased,");
+		log.dim("   so e.g. NODE_ENV=qa loads .env.qa)");
+		const userMap = cfg.nodeEnvMap ?? {};
+		const merged = {
+			...DEFAULT_NODE_ENV_MAP,
+			...userMap
+		};
+		const allKeys = Array.from(new Set([...Object.keys(merged)])).sort();
+		for (const k of allKeys) {
+			const v = merged[k] ?? "";
+			const suffix = v === "" ? "(no suffix → .env)" : `.env.${v}`;
+			const origin = userMap[k] === void 0 ? "default" : DEFAULT_NODE_ENV_MAP[k] === void 0 ? "config" : "config (override)";
+			line(`  ${k.padEnd(14)} → ${suffix}`, origin);
+		}
+		blank();
+		log.info("Resolved env file paths (would be loaded in this order)");
+		const paths = resolveEnvPaths({
+			...argv["env"] !== void 0 ? { envFiles: argv["env"] } : {},
+			...argv["cascade"] !== void 0 ? { cascade: argv["cascade"] } : {},
+			autoDetect,
+			...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {}
+		});
+		if (paths.length === 0) line("(none)", "");
+		else {
+			const subdir = argv["env-path"] ?? (argv["vault"] ? "vault" : "");
+			for (const p of paths) {
+				if (path.isAbsolute(p)) {
+					log.dim(`  ${p}`);
+					continue;
+				}
+				const resolved = subdir ? resolveCwdOrWorkspace(path.join(subdir, p)) : resolveCwdOrWorkspace(p);
+				log.dim(`  ${p}  →  ${resolved}`);
+			}
+		}
+	}
+};
+function line(key, value, suffix) {
+	const v = value === void 0 || value === null ? "(unset)" : Array.isArray(value) ? value.length === 0 ? "[]" : JSON.stringify(value) : typeof value === "object" ? JSON.stringify(value) : String(value);
+	const tail = suffix ? `  ${dim(`(${suffix})`)}` : "";
+	log.dim(`  ${key.padEnd(14)} ${v}${tail}`);
+}
+function blank() {
+	console.log("");
+}
+function dim(s) {
+	return `\x1b[2m${s}\x1b[22m`;
+}
+function formatCascade(cascade) {
+	if (cascade === void 0 || cascade === false) return "(off)";
+	if (cascade === true) return "true (uses auto-detected env name)";
+	return String(cascade);
+}
+function pickDetectionSource() {
+	if (process.env["VERCEL"]) return "Vercel (VERCEL_ENV)";
+	if (process.env["NETLIFY"]) return "Netlify (CONTEXT)";
+	if (process.env.NODE_ENV) return "NODE_ENV";
+	return "(no signals — fallback to .env)";
+}
+function formatPath(raw, cwd, wsRoot) {
+	if (!raw) return `${resolveCwdOrWorkspace(".env.keys", cwd)}  (default: cwd-first, ws-root fallback)`;
+	if (path.isAbsolute(raw)) return `${raw}  (absolute)`;
+	return `${raw}  →  ${path.resolve(cwd, raw)}  (or ${path.resolve(wsRoot, raw)} if not at cwd)`;
+}
+//#endregion
+//#region src/commands/print.ts
+var printCommand = {
+	command: "print <variable>",
+	describe: "Load env files and print the value of a single variable.",
+	builder: (yargs) => yargs.positional("variable", {
+		describe: "Name of the variable to print",
+		type: "string",
+		demandOption: true
+	}),
+	handler: (argv) => {
+		loadEnv({
+			envFiles: argv["env"],
+			variables: argv["variables"],
+			cascade: argv["cascade"],
+			vault: argv["vault"],
+			envPath: argv["env-path"],
+			override: argv["override"],
+			quiet: argv["quiet"]
+		});
+		const name = argv["variable"];
+		const value = process.env[name];
+		process.stdout.write(value != null ? `${value}\n` : "\n");
+	}
+};
+//#endregion
+//#region src/commands/rotate.ts
+/**
+* Rotate the asymmetric keypair for one or more env files. Generates a
+* fresh secp256k1 keypair, decrypts existing values with the old
+* private key, re-encrypts with the new public key, and updates both
+* the `ENVX_PUBLIC_KEY*` header in the env file and the
+* `ENVX_PRIVATE_KEY*` entry in `.env.keys`.
+*
+* Files without a public-key header surface an error — run
+* `envx encrypt` against them first to set up the keypair.
+*/
+var rotateCommand = {
+	command: "rotate",
+	describe: "Rotate the asymmetric keypair for one or more env files.",
+	builder: (yargs) => yargs.option("env-keys-file", {
+		alias: "fk",
+		type: "string",
+		describe: "Path to the .env.keys file (default: ./.env.keys at cwd). Relative paths resolve against each env file's directory."
+	}).option("key", {
+		alias: "k",
+		type: "array",
+		string: true,
+		describe: "Specific keys (or picomatch globs) to rotate. Default: all encrypted keys."
+	}).option("exclude-key", {
+		alias: "ek",
+		type: "array",
+		string: true,
+		describe: "Keys (or picomatch globs) to leave with their existing ciphertext."
+	}).help("h").alias("h", "help"),
+	handler: (argv) => {
+		const envFiles = argv["env"] ?? [".env"];
+		const keys = argv["key"];
+		const excludeKeys = argv["exclude-key"];
+		const envKeysFile = argv["env-keys-file"];
+		const result = rotateFiles({
+			envFiles,
+			...keys ? { keys } : {},
+			...excludeKeys ? { excludeKeys } : {},
+			...envKeysFile ? { envKeysFile } : {}
+		});
+		let hadError = false;
+		for (const processed of result.processedEnvs) if (processed.error) {
+			hadError = true;
+			log.error(`${processed.envFilepath}: ${processed.error.message}`);
+			if (processed.error.help) log.dim(processed.error.help);
+		}
+		const { written } = writeProcessed(result.processedEnvs);
+		for (const w of written) log.success(`rotated ${w}`);
+		if (written.length === 0 && result.unchangedFilepaths.length > 0 && !hadError) log.dim(`no changes (${result.unchangedFilepaths.join(", ")})`);
+		if (hadError) process.exitCode = 1;
+	}
+};
+//#endregion
+//#region src/commands/run.ts
+var runCommand = {
+	command: "run [command..]",
+	aliases: ["$0"],
+	describe: "Load env files into process.env and execute a command. Default subcommand — `dotenvx-run [command]` is equivalent.",
+	builder: (yargs) => yargs.positional("command", {
+		describe: "Command to execute after loading env files",
+		type: "string",
+		array: true
+	}),
+	handler: (argv) => {
+		const command = (argv["command"] ?? []).join(" ");
+		const cfg = argv["__envxConfig"] ?? {};
+		loadEnv({
+			envFiles: argv["env"],
+			variables: argv["variables"],
+			cascade: argv["cascade"],
+			vault: argv["vault"],
+			envPath: argv["env-path"],
+			override: argv["override"],
+			quiet: argv["quiet"],
+			...cfg.autoDetect !== void 0 ? { autoDetect: cfg.autoDetect } : {},
+			...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {},
+			...cfg.required !== void 0 ? { required: cfg.required } : {},
+			...cfg.expand !== void 0 ? { expand: cfg.expand } : {},
+			...cfg.defaults !== void 0 ? { defaults: cfg.defaults } : {},
+			...cfg.workspaceRoot !== void 0 ? { workspaceRoot: cfg.workspaceRoot } : {},
+			...cfg.schema !== void 0 ? { schema: cfg.schema } : {},
+			...cfg.resolvers !== void 0 ? { resolvers: cfg.resolvers } : {},
+			...Array.isArray(argv["public-prefix"]) && argv["public-prefix"].length > 0 ? { publicPrefixes: argv["public-prefix"] } : cfg.publicPrefixes !== void 0 ? { publicPrefixes: cfg.publicPrefixes } : {},
+			...cfg.publicSource !== void 0 ? { publicSource: cfg.publicSource } : {}
+		});
+		if (!command) return;
+		log.info(`Running: ${command}`);
+		try {
+			execSync(command, { stdio: "inherit" });
+			log.success(`Command completed: ${command}`);
+		} catch (error) {
+			const msg = error instanceof Error ? error.message : String(error);
+			log.error(`Command failed: ${msg}`);
+			process.exit(1);
+		}
+	}
+};
+//#endregion
+//#region src/commands/template.ts
+/**
+* Generate (or check) a stripped `.env.example` from one or more real
+* env files. Values are removed; keys, declaration order, comments,
+* and blank lines are preserved so the example file stays readable.
+*
+* Three modes:
+*   - default:  write the rendered template to --out (default `.env.example`)
+*   - --stdout: print to stdout (don't touch disk)
+*   - --check:  exit non-zero if the on-disk template is out of date
+*/
+var templateCommand = {
+	command: "template",
+	describe: "Emit a value-stripped .env.example from your real env files (or `--check` it for drift).",
+	builder: (yargs) => yargs.option("out", {
+		type: "string",
+		describe: "Output path. Default: `<cwd>/.env.example`."
+	}).option("stdout", {
+		type: "boolean",
+		default: false,
+		describe: "Print template to stdout instead of writing to disk."
+	}).option("check", {
+		type: "boolean",
+		default: false,
+		describe: "Compare the rendered template against the on-disk file; exit 1 on drift. Use this in CI."
+	}).option("annotate", {
+		type: "boolean",
+		default: true,
+		describe: "Prefix each KEY= with a `# from <source-file>` comment so reviewers can see where each key came from."
+	}),
+	handler: (argv) => {
+		const cfg = argv["__envxConfig"] ?? {};
+		const outArg = argv["out"];
+		const useStdout = argv["stdout"];
+		const check = argv["check"];
+		const annotate = argv["annotate"];
+		const paths = resolveEnvPaths({
+			...argv["env"] !== void 0 ? { envFiles: argv["env"] } : {},
+			...argv["cascade"] !== void 0 ? { cascade: argv["cascade"] } : {},
+			...cfg.autoDetect !== void 0 ? { autoDetect: cfg.autoDetect } : {},
+			...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {}
+		});
+		const subdir = argv["env-path"] ?? (argv["vault"] ? "vault" : "");
+		const existing = paths.map((p) => path.isAbsolute(p) ? p : subdir ? resolveCwdOrWorkspace(path.join(subdir, p)) : resolveCwdOrWorkspace(p)).filter((p) => fs.existsSync(p));
+		if (existing.length === 0) {
+			log.error("no env files found to template from");
+			process.exit(1);
+		}
+		const rendered = renderTemplate(existing, { annotate });
+		if (useStdout) {
+			process.stdout.write(rendered);
+			return;
+		}
+		const outPath = path.resolve(process.cwd(), outArg ?? ".env.example");
+		if (check) {
+			if ((fs.existsSync(outPath) ? fs.readFileSync(outPath, "utf8") : "") === rendered) {
+				log.success(`template up to date: ${outPath}`);
+				return;
+			}
+			log.error(`template drift: ${outPath} is out of date`);
+			log.dim("hint: run `envx template` (without --check) to update it");
+			process.exit(1);
+		}
+		fs.writeFileSync(outPath, rendered);
+		log.success(`wrote template: ${outPath} (${countKeys(rendered)} key(s))`);
+	}
+};
+function renderTemplate(files, opts) {
+	const seen = /* @__PURE__ */ new Set();
+	const out = [];
+	out.push("# Generated by `envx template` — do not edit by hand.");
+	out.push("# Run `envx template` to regenerate, or `envx template --check` in CI.");
+	out.push("");
+	for (const file of files) {
+		const display = path.relative(process.cwd(), file) || file;
+		const lines = parseEnv(fs.readFileSync(file, "utf8"));
+		const localKeys = [];
+		for (const ln of lines) {
+			if (ln.type !== "kv") continue;
+			if (seen.has(ln.key)) continue;
+			seen.add(ln.key);
+			localKeys.push(ln);
+		}
+		if (localKeys.length === 0) continue;
+		out.push(`# ── ${display} ─────────────────────────────────`);
+		for (const ln of localKeys) {
+			if (ln.type !== "kv") continue;
+			if (opts.annotate) out.push(`# from ${display}`);
+			out.push(`${ln.key}=`);
+			out.push("");
+		}
+	}
+	return out.join("\n");
+}
+function countKeys(rendered) {
+	return rendered.split("\n").filter((l) => /^[A-Za-z_][A-Za-z0-9_]*=/.test(l)).length;
+}
+//#endregion
+//#region src/commands/types.ts
+/**
+* Emit a TypeScript declaration file (`env.d.ts`) declaring every key
+* found across the resolved env files. Adds the keys to `NodeJS.ProcessEnv`
+* via interface merging, so `process.env.MY_KEY` autocompletes and
+* type-checks across the project.
+*
+* Keys listed in `config.required` are typed as `string` (always set);
+* everything else is `string | undefined`. When a Zod schema is
+* configured we look at its `.shape` (when present) to pick up the same
+* required-vs-optional information.
+*/
+var typesCommand = {
+	command: "types",
+	describe: "Emit env.d.ts declaring every loaded key on NodeJS.ProcessEnv (string | undefined; required keys narrow to string).",
+	builder: (yargs) => yargs.option("out", {
+		type: "string",
+		default: "env.d.ts",
+		describe: "Output path (relative to cwd)."
+	}).option("stdout", {
+		type: "boolean",
+		default: false,
+		describe: "Print to stdout instead of writing to disk."
+	}),
+	handler: (argv) => {
+		const cfg = argv["__envxConfig"] ?? {};
+		const out = argv["out"];
+		const useStdout = argv["stdout"];
+		const paths = resolveEnvPaths({
+			...argv["env"] !== void 0 ? { envFiles: argv["env"] } : {},
+			...argv["cascade"] !== void 0 ? { cascade: argv["cascade"] } : {},
+			...cfg.autoDetect !== void 0 ? { autoDetect: cfg.autoDetect } : {},
+			...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {}
+		});
+		const subdir = argv["env-path"] ?? (argv["vault"] ? "vault" : "");
+		const resolved = paths.map((p) => path.isAbsolute(p) ? p : subdir ? resolveCwdOrWorkspace(path.join(subdir, p)) : resolveCwdOrWorkspace(p)).filter((p) => fs.existsSync(p));
+		const keysFromFiles = /* @__PURE__ */ new Set();
+		for (const f of resolved) {
+			const lines = parseEnv(fs.readFileSync(f, "utf8"));
+			for (const k of Object.keys(toRecord(lines))) keysFromFiles.add(k);
+		}
+		const required = new Set(cfg.required ?? []);
+		const schemaShape = extractZodShape(cfg.schema);
+		for (const [k, isOptional] of Object.entries(schemaShape)) {
+			keysFromFiles.add(k);
+			if (!isOptional) required.add(k);
+		}
+		const allKeys = [...keysFromFiles].sort();
+		if (allKeys.length === 0) {
+			log.error("no keys found — load at least one env file or configure a schema");
+			process.exit(1);
+		}
+		const lines = [];
+		lines.push("// Generated by `envx types` — do not edit by hand.");
+		lines.push("// Run `envx types` to regenerate.");
+		lines.push("");
+		lines.push("declare global {");
+		lines.push("  namespace NodeJS {");
+		lines.push("    interface ProcessEnv {");
+		for (const k of allKeys) {
+			const optional = required.has(k) ? "" : "?";
+			lines.push(`      readonly ${k}${optional}: string;`);
+		}
+		lines.push("    }");
+		lines.push("  }");
+		lines.push("}");
+		lines.push("");
+		lines.push("export {};");
+		lines.push("");
+		const rendered = lines.join("\n");
+		if (useStdout) {
+			process.stdout.write(rendered);
+			return;
+		}
+		const outPath = path.resolve(process.cwd(), out);
+		fs.writeFileSync(outPath, rendered);
+		log.success(`wrote ${outPath} (${allKeys.length} key(s), ${required.size} required)`);
+	}
+};
+/**
+* Extract a `{ key → isOptional }` map from a duck-typed Zod schema.
+* Looks for `.shape` (ZodObject). Returns `{}` if the schema doesn't
+* follow that shape — we still emit types for every file-found key,
+* just without the required/optional refinement.
+*/
+function extractZodShape(schema) {
+	if (!schema || typeof schema !== "object") return {};
+	const shape = schema.shape;
+	if (!shape || typeof shape !== "object") return {};
+	const out = {};
+	for (const [k, v] of Object.entries(shape)) {
+		if (!v || typeof v !== "object") continue;
+		const tn = v._def?.typeName ?? "";
+		out[k] = tn === "ZodOptional" || tn === "ZodDefault";
+	}
+	return out;
+}
+//#endregion
+//#region src/commands/watch.ts
+/**
+* Spawn a child process with the loaded env, then watch every resolved
+* env file. On change, kill the child (SIGTERM, then SIGKILL after a
+* grace period) and respawn with a fresh load.
+*
+* Differences from `nodemon`:
+*   - Only env files are watched (not source code).
+*   - Restart preserves the parent shell's stdin/stdout/stderr.
+*   - Cascade-resolved paths are watched (so adding `.env.local` while
+*     watching is picked up if it lives at one of the resolved paths).
+*/
+var watchCommand = {
+	command: "watch [command..]",
+	describe: "Load env files, spawn a command, and restart it whenever any of the resolved env files change.",
+	builder: (yargs) => yargs.positional("command", {
+		type: "string",
+		array: true,
+		describe: "Command to run (e.g. `node app.js`)."
+	}).option("debounce", {
+		type: "number",
+		default: 200,
+		describe: "Debounce window (ms) for coalescing rapid file events."
+	}).option("kill-grace", {
+		type: "number",
+		default: 1500,
+		describe: "Grace period (ms) between SIGTERM and SIGKILL when restarting the child."
+	}),
+	handler: (argv) => {
+		const cfg = argv["__envxConfig"] ?? {};
+		const command = (argv["command"] ?? []).join(" ");
+		const debounceMs = argv["debounce"];
+		const killGraceMs = argv["kill-grace"];
+		if (!command) {
+			log.error("watch: no command supplied. Example: envx watch -- node app.js");
+			process.exit(1);
+		}
+		const loadEnvOptions = () => ({
+			envFiles: argv["env"],
+			variables: argv["variables"],
+			cascade: argv["cascade"],
+			vault: argv["vault"],
+			envPath: argv["env-path"],
+			override: argv["override"],
+			quiet: argv["quiet"],
+			...cfg.autoDetect !== void 0 ? { autoDetect: cfg.autoDetect } : {},
+			...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {},
+			...cfg.required !== void 0 ? { required: cfg.required } : {},
+			...cfg.expand !== void 0 ? { expand: cfg.expand } : {},
+			...cfg.defaults !== void 0 ? { defaults: cfg.defaults } : {},
+			...cfg.workspaceRoot !== void 0 ? { workspaceRoot: cfg.workspaceRoot } : {},
+			...cfg.schema !== void 0 ? { schema: cfg.schema } : {},
+			...cfg.resolvers !== void 0 ? { resolvers: cfg.resolvers } : {}
+		});
+		const watchedPaths = resolveWatchedPaths(argv, cfg);
+		if (watchedPaths.length === 0) log.warn("watch: no env files exist to watch — running anyway");
+		else {
+			log.info(`watch: ${watchedPaths.length} file(s)`);
+			for (const p of watchedPaths) log.dim(`  • ${p}`);
+		}
+		let child = null;
+		let restarting = false;
+		let pendingTimer = null;
+		const start = () => {
+			const snapshot = { ...process.env };
+			loadEnv(loadEnvOptions());
+			const childEnv = { ...process.env };
+			for (const k of Object.keys(process.env)) if (!(k in snapshot)) delete process.env[k];
+			Object.assign(process.env, snapshot);
+			log.info(`▶ ${command}`);
+			child = spawn(command, {
+				shell: true,
+				stdio: "inherit",
+				env: childEnv
+			});
+			child.on("exit", (code) => {
+				if (restarting) return;
+				const c = code ?? 0;
+				if (c === 0) log.success(`exit 0`);
+				else log.warn(`exit ${String(c)}`);
+				child = null;
+			});
+		};
+		const restart = () => {
+			if (restarting) return;
+			restarting = true;
+			const cur = child;
+			if (!cur) {
+				restarting = false;
+				start();
+				return;
+			}
+			cur.kill("SIGTERM");
+			const t = setTimeout(() => {
+				if (cur && !cur.killed) cur.kill("SIGKILL");
+			}, killGraceMs);
+			cur.once("exit", () => {
+				clearTimeout(t);
+				restarting = false;
+				start();
+			});
+		};
+		for (const p of watchedPaths) try {
+			fs.watch(p, () => {
+				if (pendingTimer) clearTimeout(pendingTimer);
+				pendingTimer = setTimeout(() => {
+					log.info(`↻ env changed — restarting`);
+					restart();
+				}, debounceMs);
+			});
+		} catch (e) {
+			log.warn(`watch failed for ${p}: ${e.message}`);
+		}
+		const shutdown = () => {
+			if (child && !child.killed) child.kill("SIGTERM");
+			process.exit(0);
+		};
+		process.on("SIGINT", shutdown);
+		process.on("SIGTERM", shutdown);
+		start();
+	}
+};
+function resolveWatchedPaths(argv, cfg) {
+	const paths = resolveEnvPaths({
+		...argv["env"] !== void 0 ? { envFiles: argv["env"] } : {},
+		...argv["cascade"] !== void 0 ? { cascade: argv["cascade"] } : {},
+		...cfg.autoDetect !== void 0 ? { autoDetect: cfg.autoDetect } : {},
+		...cfg.nodeEnvMap !== void 0 ? { nodeEnvMap: cfg.nodeEnvMap } : {}
+	});
+	const subdir = argv["env-path"] ?? (argv["vault"] ? "vault" : "");
+	return paths.map((p) => path.isAbsolute(p) ? p : subdir ? resolveCwdOrWorkspace(path.join(subdir, p)) : resolveCwdOrWorkspace(p)).filter((p) => fs.existsSync(p));
+}
+//#endregion
+//#region src/commands/index.ts
+/**
+* Build the yargs CLI for `dotenvx-run`. Global options (env, variables,
+* cascade, vault, override, quiet) are registered on the root so every
+* subcommand inherits them.
+*/
+function createCli(argvInput) {
+	return yargs(argvInput).scriptName("envx").usage("$0 <command> [options]").option("config", {
+		alias: "c",
+		type: "string",
+		describe: "Path to an envx config file (default: discovered from package.json `envx.config` or envx.config.{ts,js,json})."
+	}).option("env", {
+		alias: "e",
+		type: "array",
+		describe: "Env files to load. Default: [\".env\"] (or `envFiles` from config; or every .env* under --env-path when set). Auto-detects environment when omitted."
+	}).option("env-path", {
+		alias: ["dir", "d"],
+		type: "string",
+		describe: "Subdirectory of the workspace root holding the env files (e.g. `vault`). When set and --env is omitted, every .env* file in that directory is included."
+	}).option("variables", {
+		alias: "v",
+		type: "array",
+		describe: "Inline variables in the form name=value (repeatable).",
+		default: []
+	}).option("cascade", {
+		type: "string",
+		describe: "Cascade load order: .env, .env.<cascade>, .env.local, .env.<cascade>.local"
+	}).option("vault", {
+		alias: "va",
+		type: "boolean",
+		describe: "Shortcut for `--env-path vault`."
+	}).option("override", {
+		alias: "o",
+		type: "boolean",
+		describe: "Override existing process.env values. Conflicts with --cascade."
+	}).option("quiet", {
+		alias: "q",
+		type: "boolean",
+		describe: "Suppress dotenv's own output."
+	}).option("profile", {
+		alias: "P",
+		type: "string",
+		describe: "Named profile from `profiles` in envx.config.* — fields override the base config per-field."
+	}).option("public-prefix", {
+		type: "array",
+		string: true,
+		describe: "Framework prefix to mirror PUBLIC_ vars under (repeatable). e.g. `--public-prefix VITE_ --public-prefix NEXT_PUBLIC_`. Overrides `publicPrefixes` from envx.config.*."
+	}).middleware((argv) => {
+		const configPath = argv["config"];
+		let loaded;
+		try {
+			loaded = loadDotenvxConfig({ ...configPath ? { configPath } : {} });
+		} catch (e) {
+			log.error(`config error: ${e.message}`);
+			process.exit(1);
+		}
+		if (loaded.source) log.dim(`config: ${loaded.source} (${loaded.origin})`);
+		let cfg = loaded.config;
+		const profileName = argv["profile"];
+		if (profileName) {
+			const profile = cfg.profiles?.[profileName];
+			if (!profile) {
+				log.error(`unknown profile: '${profileName}' (available: ${Object.keys(cfg.profiles ?? {}).join(", ") || "none"})`);
+				process.exit(1);
+			}
+			cfg = {
+				...cfg,
+				...profile
+			};
+			log.dim(`profile: ${profileName}`);
+		}
+		argv["__envxConfig"] = cfg;
+		argv["__envxConfigSource"] = loaded.source;
+		argv["__envxConfigOrigin"] = loaded.origin;
+		if (argv["cascade"] === void 0 && cfg.cascade !== void 0) argv["cascade"] = cfg.cascade;
+		if (argv["override"] === void 0) argv["override"] = cfg.override ?? false;
+		if (argv["quiet"] === void 0) argv["quiet"] = cfg.quiet ?? true;
+		if (argv["vault"] === void 0) argv["vault"] = false;
+		if (argv["env-keys-file"] === void 0 && cfg.envKeysFile !== void 0) argv["env-keys-file"] = cfg.envKeysFile;
+		if (argv["env-path"] === void 0) {
+			if (cfg.envPath !== void 0) argv["env-path"] = cfg.envPath;
+			else if (argv["vault"]) argv["env-path"] = "vault";
+		}
+		const userPassedEnv = Array.isArray(argv["env"]) && argv["env"].length > 0;
+		let files;
+		if (userPassedEnv) files = argv["env"];
+		else if (cfg.envFiles && cfg.envFiles.length > 0) files = [...cfg.envFiles];
+		else if (typeof argv["env-path"] === "string") {
+			const subdir = argv["env-path"];
+			const discovered = listEnvFiles(resolveCwdOrWorkspace(subdir));
+			if (discovered.length > 0) {
+				files = discovered;
+				log.dim(`env-path ${subdir}: discovered ${String(discovered.length)} file(s) — ${discovered.join(", ")}`);
+			} else {
+				files = [".env"];
+				log.warn(`env-path ${subdir}: no .env* files found; falling back to [".env"]`);
+			}
+		} else files = [".env"];
+		if (typeof argv["env-path"] === "string") {
+			const dir = resolveCwdOrWorkspace(argv["env-path"]);
+			files = files.map((f) => path.isAbsolute(f) ? f : path.join(dir, f));
+		}
+		argv["env"] = files;
+	}).command(runCommand).command(printCommand).command(debugCommand).command(encryptCommand).command(decryptCommand).command(expandCommand).command(rotateCommand).command(infoCommand).command(doctorCommand).command(templateCommand).command(diffCommand).command(hookCommand).command(typesCommand).command(watchCommand).command(auditCommand).command(bakeCommand).help("h").alias("h", "help").version().strictCommands().demandCommand(0).recommendCommands().epilog("Examples:\n  envx -- node app.js                # load .env (auto-detected) and run\n  envx --env dev -- pnpm start       # load .env.dev\n  envx print DATABASE_URL            # print one variable\n  envx debug --cascade prod          # show resolved paths\n  envx encrypt -e .env.prod --secrets # encrypt only conventional secret keys\n  envx decrypt -e .env.prod -k FOO   # decrypt only FOO\n  envx expand -e vault/.env.prod     # decrypt + expand to stdout\n  envx doctor                        # health check (CI gate)\n  envx template --check              # verify .env.example is up to date\n  envx diff .env.dev .env.prod       # compare two env files\n  eval \"$(envx hook bash)\"           # inject env into the parent shell\n  envx types                          # emit env.d.ts for typed process.env\n  envx watch -- node app.js          # restart on env change\n  envx audit                         # scan repo for plaintext secrets\n  envx --profile staging -- node app.js  # apply named profile from envx.config.*");
+}
+//#endregion
+export { createCli as t };
+
+//# sourceMappingURL=commands-D3eQPQO6.js.map